Secure Grafana Enterprise Metrics
These sections explain how to secure Grafana Mimir data and communication paths.
Securing GEM shares a lot of similarities with securing Grafana Mimir. For more information, see Secure Grafana Mimir.
Securing communications with TLS
In addition to the steps in Secure Grafana Mimir, you must also configure TLS for the following GEM features.
Self-instrumentation
Each GEM component can optionally remote-write its system metrics to the distributor under a system tenant ID. To secure the connection from each component to the distributor with TLS, set the following YAML parameters or their corresponding CLI flags. To set these YAML parameters in the mimir-distributed Helm chart, nest them under mimir.structuredConfig in your values.yaml file.
```yaml
instrumentation:
  distributor_client:
    tls_enabled: true
    tls_cert_path: /path/to/cert
    tls_key_path: /path/to/key
    tls_ca_path: /path/to/ca
    # The following flags are also available but are not required.
    tls_cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    tls_min_version: VersionTLS13
    tls_server_name: distributor.example.com
    # Keep this false: setting it to true disables verification of the distributor's certificate.
    tls_insecure_skip_verify: false
```
Gateway
The gateway proxies incoming requests to the different GEM components. The connection to each component can be secured with TLS. The configuration for each component is identical; the configuration options are prefixed as follows, where <component_name> is the name of the GEM component being proxied. To set these YAML parameters in the mimir-distributed Helm chart, nest them under mimir.structuredConfig in your values.yaml file.
```yaml
gateway:
  proxy:
    <component_name>:
      tls_enabled: true
      tls_cert_path: /path/to/cert
      tls_key_path: /path/to/key
      tls_ca_path: /path/to/ca
      # The following flags are available but are not required.
      tls_cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      tls_min_version: VersionTLS13
      tls_server_name: component.example.com
      # Keep this false: setting it to true disables verification of the component's certificate.
      tls_insecure_skip_verify: false
```
For example, to set the distributor TLS configuration, you would set the following YAML parameters.
```yaml
gateway:
  proxy:
    distributor:
      tls_enabled: true
      tls_cert_path: /path/to/cert
      tls_key_path: /path/to/key
      tls_ca_path: /path/to/ca
      # The following flags are available but are not required.
      tls_cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      tls_min_version: VersionTLS13
      tls_server_name: component.example.com
      tls_insecure_skip_verify: false
```
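The self-instrumentation and gateway proxy blocks above share the same TLS client keys, so the same checks apply to all of them. The following audit script is an added example, not part of GEM or the mimir-distributed chart; it assumes the structured config has already been loaded into a Python dict (for example with yaml.safe_load) and flags blocks where TLS is off, a certificate path is missing, tls_insecure_skip_verify is true, or tls_min_version is not pinned to VersionTLS12 or VersionTLS13.

```python
from typing import Any

REQUIRED_PATHS = ("tls_cert_path", "tls_key_path", "tls_ca_path")
ACCEPTED_MIN_VERSIONS = ("VersionTLS12", "VersionTLS13")


def audit_tls_client(block: dict[str, Any], where: str) -> list[str]:
    """Return findings for one TLS client block; an empty list means it looks sound."""
    findings: list[str] = []
    if not block.get("tls_enabled", False):
        # Without tls_enabled the other keys are ignored and traffic is plaintext.
        return [f"{where}: tls_enabled is not true, traffic to this component is plaintext"]
    for key in REQUIRED_PATHS:
        if not block.get(key):
            findings.append(f"{where}: {key} is missing")
    if block.get("tls_insecure_skip_verify", False):
        findings.append(f"{where}: tls_insecure_skip_verify is true, the server certificate is not verified")
    if block.get("tls_min_version") not in ACCEPTED_MIN_VERSIONS:
        findings.append(f"{where}: tls_min_version is not pinned to VersionTLS12 or VersionTLS13")
    return findings


def audit_gem_config(cfg: dict[str, Any]) -> list[str]:
    """Walk instrumentation.distributor_client and every gateway.proxy.<component> block."""
    findings: list[str] = []
    client = cfg.get("instrumentation", {}).get("distributor_client")
    if client is None:
        findings.append("instrumentation.distributor_client: no TLS configuration present")
    else:
        findings += audit_tls_client(client, "instrumentation.distributor_client")
    for name, block in cfg.get("gateway", {}).get("proxy", {}).items():
        findings += audit_tls_client(block or {}, f"gateway.proxy.{name}")
    return findings


# Constructed sample (not a real deployment); the paths are placeholders as on the page.
GOOD_CLIENT = {"tls_enabled": True, "tls_cert_path": "/path/to/cert", "tls_key_path": "/path/to/key",
               "tls_ca_path": "/path/to/ca", "tls_min_version": "VersionTLS13", "tls_insecure_skip_verify": False}
SAMPLE_CONFIG = {
    "instrumentation": {"distributor_client": dict(GOOD_CLIENT)},
    "gateway": {"proxy": {
        "distributor": dict(GOOD_CLIENT),
        # Weak: certificate verification disabled and no minimum TLS version pinned.
        "querier": {**GOOD_CLIENT, "tls_insecure_skip_verify": True, "tls_min_version": None},
        # Weak: TLS not enabled at all.
        "ingester": {"tls_enabled": False},
    }},
}

if __name__ == "__main__":
    for finding in audit_gem_config(SAMPLE_CONFIG):
        print(finding)
```

Running it against the constructed sample reports three findings, all under gateway.proxy; the distributor and self-instrumentation blocks, which match the page's recommended settings, produce none.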